How can I resolve an “Access Error” after configuring my VPC flow log?


After I configure my virtual private cloud (VPC) flow log, I receive an "Access Error."

Short description

If there's a permissions issue when you configure your VPC flow log, then you see the following error:

"Access Error. The IAM role for your flow logs does not have sufficient permissions to send logs to the CloudWatch log group."

The following scenarios commonly cause this error:

  • The Identity and Access Management (IAM) role for your flow log doesn't have permission to publish flow log records to the Amazon CloudWatch log group.
  • The IAM role doesn't have a trust relationship with the flow logs service.
  • The trust relationship doesn't specify the flow logs service as the principal.

Resolution

The IAM role for your flow log doesn't have permission to publish flow log records to the CloudWatch log group

The IAM role that's associated with your flow log must have sufficient permissions to publish flow logs to the specified log group in CloudWatch Logs. The IAM role must belong to your AWS account. Make sure that the IAM role has the following permissions:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents",
        "logs:DescribeLogGroups",
        "logs:DescribeLogStreams"
      ],
      "Resource": "*"
    }
  ]
}

The IAM role doesn't have a trust relationship with the flow logs service

Make sure that your role has a trust relationship that allows the flow logs service to assume the role:

1. Log in to the IAM console.

2. Select Roles.

3. Select VPC-Flow-Logs.

4. Select Trust relationships.

5. Select Edit trust policy.

6. Delete the current code in this section, and then enter the following policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "vpc-flow-logs.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

7. Select Update policy.

Trust relationships give you control over what services are allowed to assume roles. In this example, the relationship allows the VPC Flow Logs service to assume the role.

The trust relationship doesn't specify the flow logs service as the Principal

Make sure that the trust relationship specifies the flow logs service as the Principal:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "vpc-flow-logs.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
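To check both documents offline before you attach them, here is an added example (not part of the AWS article and not an AWS tool) that validates a role's permissions policy and trust policy against the requirements described above: the trust policy must let vpc-flow-logs.amazonaws.com call sts:AssumeRole, and the permissions policy must allow the five CloudWatch Logs actions listed. The sample policy documents at the bottom are constructed for the check, not real account data.

```python
# Requirements stated in the article: the flow logs service principal and the
# CloudWatch Logs actions the role's permissions policy must allow.
FLOW_LOGS_PRINCIPAL = "vpc-flow-logs.amazonaws.com"
REQUIRED_ACTIONS = {
    "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents",
    "logs:DescribeLogGroups", "logs:DescribeLogStreams",
}


def _as_list(value):
    """IAM policy fields may be a string, a list, or absent; normalise to a list."""
    return [] if value is None else value if isinstance(value, list) else [value]


def allowed_actions(policy):
    """Return the set of actions granted by Allow statements in a permissions policy."""
    actions = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") == "Allow":
            actions.update(_as_list(stmt.get("Action")))
    return actions


def missing_actions(policy):
    """Actions from the article's list that the policy does not grant (empty set = OK)."""
    granted = allowed_actions(policy)
    if "logs:*" in granted or "*" in granted:  # a wildcard covers everything required
        return set()
    return REQUIRED_ACTIONS - granted


def trusts_flow_logs(trust_policy):
    """True if some Allow statement lets the flow logs service call sts:AssumeRole."""
    for stmt in _as_list(trust_policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if not isinstance(principal, dict):  # "*" or an AWS-account principal is not it
            continue
        services = _as_list(principal.get("Service"))
        if FLOW_LOGS_PRINCIPAL in services and "sts:AssumeRole" in _as_list(stmt.get("Action")):
            return True
    return False


# Constructed sample documents for a quick offline check (not real account data).
GOOD_TRUST = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Principal": {"Service": FLOW_LOGS_PRINCIPAL}, "Action": "sts:AssumeRole"}]}
BAD_TRUST = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Principal": {"Service": "ec2.amazonaws.com"}, "Action": "sts:AssumeRole"}]}
PARTIAL_PERMS = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Action": ["logs:CreateLogStream", "logs:PutLogEvents"], "Resource": "*"}]}
```

Feed the same functions the JSON you retrieve from the role (for example with the AWS CLI's get-role and get-role-policy output) to see which of the three scenarios above applies.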

Related information

IAM role for publishing flow logs to CloudWatch Logs

Troubleshoot VPC flow logs

AWS OFFICIAL. Updated a year ago.